New Chameleon spam campaign often changes email templates

• The subject lines and body of the spam emails are kept brief and meaningful in order to lure unsuspicious victims to click on the embedded link.
• Most of the URLs embedded in these spam emails appear to be of compromised WordPress sites.

Researchers from Trustwave have spotted a new wave of various spam campaigns that are from the same spam botnet. This campaign is dubbed as ‘Chameleon’ since it often changes its email templates.

More details about the campaign

Researchers started tracking the spam emails sent from the botnet since August 14, 2019, and observed that this spam campaign often resembles phishing emails, however, the messages have randomized email headers.

• The spam messages originate from geographically distributed sources, however, they used similar unique SMTP transaction commands on connection.
• The spam messages have randomized email headers with meaningless text that are inserted at random positions within the email header.
• The subject lines and body of the spam emails are kept brief and meaningful in order to lure unsuspicious victims to click on the embedded link.
• Most of the URLs embedded in these spam emails appear to be of compromised WordPress sites.
• The email body HTML has random HTML elements inserted at random positions within legit HTML tags.

Variants of spam emails

Researchers noted that the spam botnet sent out variants of spam emails, which include:

• Fake job offer emails
• Fake Google personal or private messages
• Fake email account security alerts
• Fake broken or undelivered email messages from a mail server
• Fake LinkedIn message and profile view messages
• Fake FedEx delivery notifications
• Fake airline booking invoice emails

Some of the subject lines used in these spam emails include:

• Hi! do you need a job? (Margarida, ex.colleague)
• Message notification
• You have two broken emails
• Security alert for your LinkedIn profile
• A package containing confidential personal information was sent to you

Worth noting

The spam emails included embedded URLs. Upon examining the URLs, researchers determined that the scammers used compromised WordPress sites as intermediary nodes to host part of their infrastructure on. A redirector JavaScript code is hosted on such compromised WordPress sites in order to route traffic onto the malicious infrastructure.

“Clicking and following the embedded links in the spam message we noticed that our test browser was bounced off a couple of redirector sites before it reached the final landing page. Looking closer, we observed that all the spam links pointed to initial redirector pages hosting the same JavaScript content,” researchers said.